The 1st ACM Workshop on Information Security Governance November 13, 2009 Chicago, USA Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study Christophe Feltus, Michaël Petit, Eric Dubois Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium The research was funded by the National Research Fund of Luxemburg

Upload: public-research-centre-henri-tudor

Post on 23-Aug-2014


DESCRIPTION

Presentation of paper "Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study" at WISG ACM conference, Chicago, 2006.

TRANSCRIPT

Page 1: Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study

The 1st ACM Workshop on

Information Security Governance

November 13, 2009

Chicago, USA

Strengthening Employee’s Responsibility to Enhance Governance of IT – COBIT RACI Chart Case Study

Christophe Feltus, Michaël Petit, Eric Dubois

Public Research Center Henri Tudor, Luxembourg-Kirchberg, Luxembourg

PReCISE Research Centre, Faculty of Computer Science, University of Namur, Belgium

The research was funded by the National Research Fund of Luxemburg

Page 2

Introduction:

• Governance of IT is becoming more and more necessary
  ▫ Sarbanes-Oxley Act: transparency regarding accounts
  ▫ Basel II: management of operational risk and assignment of people to that task
  ▫ ISO/IEC 38500:2008: provides 6 principles for corporate governance of IT, one of which is dedicated to responsibility
• Need for more responsibility, transparency, accountability, ethics, commitment

Page 3

Introduction:

• Companies are used to working with well-known management frameworks such as:
  ▫ ITIL (IT Information Library): a public library that focuses on IT service management for high-quality service provision
  ▫ CIMOSA: an enterprise architecture model to define industrial computer system architecture
  ▫ ISO/IEC 15504 [7]: a framework for the assessment of software processes
  ▫ COBIT
• As many responsibility models as frameworks

Page 4

Introduction:

• Many responsibility models means:
  ▫ No consensus between frameworks / no unique one
  ▫ No interoperability
  ▫ Many interpretations of the concepts
• Objective of the research:
  ▫ Defining a common responsibility model
• Research methodology:
  ▫ Analysis of the literature
  ▫ Elaboration of a responsibility model
  ▫ Successive refinement by comparing it with professional frameworks

Page 5

Responsibility: Foreword

• Responsibility: abstract or concrete concept?
• Many definitions in the literature
• L. Cholvy proposes 3 of them:
  ▫ Something bad happened and you caused it or could have prevented it
  ▫ Obligation or moral duty to report or explain your actions or someone else's action to a given authority (answerability)
  ▫ Position which enables you to make decisions in a given organization but implies that you must be prepared to justify your actions (accountability)
• ∆ def 1 / def 2 = blame
• ∆ def 2 / def 3 = answerability ≠ accountability = position (rules)

Page 6

Responsibility: Foreword

• D'Arcy McCallum:
  ▫ Responsibility is not something that you can actually assign to someone
  ▫ Responsibility, in fact, has to come from within
  ▫ A person is responsible: we mean that he holds a personal commitment to doing something to some standard of quality
  ▫ And while you cannot assign responsibility, you can and do assign accountability... with the expectation that a person will execute the activity assigned to them to a standard of quality
• Commonly accepted responsibility definitions encompass the idea of "having the obligation to ensure that something happens".

Page 7

Accountability

[Diagram: Responsibility, Accountability, Answerability and Sanction linked by 'Compose' associations (Accountability: one Answerability, 0..1 Sanction)]

Accountability:
  o Obligation or moral duty to report or explain the action or someone else's action to a given authority [Cholvy et al.]
  o Obligation(s) to report the achievement, maintenance or avoidance of some given state [Sommerville et al.]
  o Accountability is composed of one answerability and zero or one sanction [Fox]

Page 8

Functional vs. Managerial Obligation

Obligation: the most frequent concept. Functional vs. structural obligation [Dobson]:
  o functional obligation: what an employee must do with respect to a state of affairs (e.g. execute an activity)
  o structural (managerial) obligation: what an employee must do in order to fulfil a responsibility, such as directing, supervising and monitoring

[Diagram: Obligation, with Functional Obligation and Managerial Obligation as its types, added to the Responsibility / Accountability / Answerability / Sanction model via 'Concern' and 'Compose' associations]

Page 9

Accountability, Answerability, Transparency

[Diagram: Accountability has types Soft Accountability and Hard Accountability; Sanction has types Positive Sanction and Negative Sanction; Transparency has types Opaque and Clear and is linked to Answerability by a 'Generate' association]

  o Sanction is positive or negative, i.e. a compensation or a remediation [Fox]
  o Transparency is clear: information access policies and reliable information
  o Transparency is opaque: information revealed nominally and punctually

Page 10

Rights

  o Common but not systematically embedded concept
  o Capability: describes the possession of requisite qualities, skills or resources to perform an action [Vernadat, F.B.][Yu et al.][Qingfeng et al.]
  o Authority: the power to command and control other employees (CIMOSA)
  o Delegation right: right to transfer some part of the responsibility to another employee

[Diagram: Right, with Access Right, Authority, Capability and Delegation Possibility as its types, added to the model; Responsibility requires Right (1 / 0..*); 'Needed for' association on Access Right]

Page 11

Delegation

Delegation vs. affectation:
  o Affectation or assignment is the action of linking an employee to a responsibility
  o Delegation is the transfer of an employee's responsibility assignment to another employee
    Right to further delegate the same obligation or not [Sommerville]
    Delegation of accountability or not [Norman]

[Diagram: Employee (1 / 0..*) and Delegation ('Delegate', 'Is delegated', 'Concerns') added to the model; Employee pledges Commitment, activated by Commitment Antecedents; Delegation Possibility is a type of Right]
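The two delegation choices the slide cites, as an added example that is not part of the presentation or its paper: an assignment (affectation) followed by a delegation where the delegator may or may not pass on accountability [Norman] and the right to delegate further [Sommerville]. The flag names `may_delegate`, `with_accountability` and `further_delegation` and the employee/action names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Responsibility:
    """One responsibility of the model: an obligation, the employee assigned to it,
    the employee who must answer for it, and the rights attached to it."""
    obligation: str                     # functional obligation: what must be done
    holder: str                         # employee linked to the obligation (affectation)
    accountable: str                    # employee who holds the answerability
    rights: frozenset = frozenset()     # e.g. {"delegate"}: Delegation Possibility, a type of Right
    delegated_from: Optional[str] = None


def assign(obligation: str, employee: str, may_delegate: bool) -> Responsibility:
    """Affectation: link an employee to a responsibility; he is also accountable for it.
    may_delegate (assumed flag) grants the delegation right to the assignee."""
    rights = frozenset({"delegate"}) if may_delegate else frozenset()
    return Responsibility(obligation, employee, employee, rights)


def delegate(r: Responsibility, to: str, *,
             with_accountability: bool, further_delegation: bool) -> Responsibility:
    """Transfer r from its holder to another employee.
    with_accountability: Norman's choice, does accountability move with the obligation?
    further_delegation: Sommerville's choice, may the new holder delegate again?"""
    if "delegate" not in r.rights:
        raise PermissionError(f"{r.holder} has no delegation right for '{r.obligation}'")
    if to == r.holder:
        raise ValueError("delegation requires a different employee")
    return Responsibility(
        obligation=r.obligation,
        holder=to,
        # Either the delegate now answers for the obligation, or the delegator keeps answering.
        accountable=to if with_accountability else r.accountable,
        # Either the delegate receives the right to delegate again, or the chain stops here.
        rights=frozenset({"delegate"}) if further_delegation else frozenset(),
        delegated_from=r.holder,
    )
```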

Page 12

Commitment

  o Moral engagement to fulfil the action, difficult to integrate in a formalized framework
  o The psychological attachment felt by the person for the organization; it will reflect the degree to which the individual internalizes or adopts characteristics or perspectives of the organization [O'Reilly and Chatman]
  o The relative strength of an individual's identification with and involvement in a particular organization [Mowday]
  o A structural phenomenon which occurs as a result of individual-organizational transactions and alterations in side-bets or investments over time [Hrebiniak and Alutto]

[Diagram: Commitment and Commitment Antecedents added to the model; Employee (1 / 0..*) pledges Commitment; Commitment Antecedents activate Commitment (1..* / 1)]

Page 13

Commitment

[Diagram: Commitment has types Continuance, Affective and Normative; Commitment Antecedents (Side-bets, Desire to Maintain Membership, Belief in Goals and Values, Feeling of Obligation) activate Commitment (1..* / 1) and 'Contribute to' its types; Commitment provides (1 / 0..*) Commitment Outcomes: Citizen Behavior, Employee Retention, Employee Performance, Willingness to Exert Efforts]

Page 14

Complete responsibility model

[Diagram: the full class model combining Employee, Commitment (with Commitment Antecedents), Pledge, Delegation, Responsibility, Obligation (Functional / Managerial), Accountability (Answerability, 0..1 Sanction) and Right, linked by the 'Compose', 'Concern', 'Require', 'Activate', 'Delegate' and 'Is delegated' associations of the preceding slides]

Page 15

The COBIT responsibility model

  o COBIT's controls are composed of actions to perform (obligation)
  o Employees hold roles like CEO, CFO, CIO, PMO, Head Operation, Business Executive, ...
  o The COBIT responsibility model is formalized through a RACI chart matrix attached to all 34 COBIT processes.
  o RACI stands for Responsible, Accountable, Consulted and Informed
  o A role may be Responsible, Accountable, Consulted or Informed depending on the control and the task to perform.

[Diagram: Control (1) composed of Action (1..*); Employee (0..*) holds Role (0..*) via 'Is hold'; RACI Chart with Responsible, Accountable, Consulted and Informed]

Page 16

The COBIT responsibility model

  o Responsibility and Accountability are at the same conceptual level, as parts of the RACI chart
  o Accountability: the employee who provides direction and authorizes an action
  o Responsibility: the employee who gets the action done
  o "An individual assumes his/her responsibility and is usually held accountable"
    It is possible, or not, to be responsible and accountable at the same time
  o "IT management has the resources and accountability needed to meet service level targets"
    Accountability is possessed and, as a consequence, may be seen as a capability (or a right) rather than an accountability (or an obligation).

[Diagram: Responsible, Accountable, Consulted and Informed link Role to Action through 'Affected to', 'Analyzed by' and 'Viewable by' associations (0..* / 1..*)]

Page 17

The COBIT responsibility model

  o Capability does not exist systematically in COBIT. It is necessary for an employee to perform an action
  o Authority: "person or group who has the authority to approve or accept the execution of an action"
    A type of right to approve or accept an action. Authority is something provided to the person responsible, e.g. the action "Assigning sufficient authority to the problem manager"

[Diagram: as on the previous slide, with Capability added; Action 'Needs' Capability (0..* / 1..*)]

Page 18

The COBIT responsibility model

  o Assignment/delegation appears sporadically in COBIT and concerns mainly the capability or even the responsibility.
  o Commitment appears in many controls but is not explicitly defined:
    "[…] employees are mindful of their compliance obligation" (commitment antecedent)
    "A positive, proactive information control environment, including a commitment to quality and IT security awareness, is established"
    "Obtain commitment and participation from the affected employees in the definition and execution of the project […]"

[Diagram: as on the previous slide, with Commitment and Pledge added (Employee pledges Commitment, 0..* / 1)]

Page 19

Proposed integration in COBIT

  o Obligation, Right, Capability and Commitment are systematically integrated
  o Accountability is no longer perceived as an attribute that links an employee to an action and that is on the same level as the responsibility, but as a component that composes this responsibility.
  o Informed is no longer perceived as a type of allocation/assignment of "role – action" but as a type of right for responsibility.
  o Consulted is no longer seen as a type of allocation/delegation of "role – action" but as a type of responsibility.

[Diagram: Responsibility composed of Accountability (Answerability, 0..1 Sanction) and Obligation (Managerial Obligation, Functional Obligation); Responsibility requires Right (type Capability, 1 / 0..*); Employee linked to Responsibility by Affectation / Delegation; Employee pledges Commitment, activated by Commitment Antecedents; Consulted is a type of Responsibility; Informed is a type of Right]

Page 20

COBIT RACI Chart Case Study

• Action: Identify system owners
• From: PO4 Define the IT Processes, Organisation and Relationships
• RACI:

Activity: Identify System Owners

Function                               RACI
CFO                                    C
Business Executive                     C
CIO                                    A
Business Process Owner                 C
Head Operation                         R
Chief Architect                        I
Head Development                       I
Head IT Administration                 I
PMO                                    I
Compliance, Audit, Risk and Security   I

Page 21

Enhancement 1

• HO is responsible: he gets the activity done but is not accountable for it. What happens if he doesn't do it?
• CIO is accountable. He is answerable and sanctionable.

HO is responsible and accountable for the task.
CIO is responsible and accountable for the managerial obligation regarding the task.

RACI row for Identify System Owners (as on Page 20): C C A C R I I I I I

Page 22

Enhancement 2

• CFO, BE and BPO are consulted. Does it imply something for them?

Consulted is not only a function. It is a responsibility.
This means that the responsibility components need to be clarified, i.e. the obligation, the accountability, or the right.

RACI row for Identify System Owners (as on Page 20): C C A C R I I I I I

Page 23

Enhancement 3

• CA, HD, HITA, PMO and CARS are informed. Is the information absolutely necessary for everyone?

Informed is more a right than a function. Consequently, it should be attached to another task, and a link should be created between the information and its use for another task.

RACI row for Identify System Owners (as on Page 20): C C A C R I I I I I
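The proposed integration (Page 19) applied to the three enhancements above, as an added example that is not part of the presentation or its paper: the RACI row and function columns for Identify System Owners are read off the slides, while the function names `parse_raci_row`, `derive_model` and `is_hard`, the answerability/sanction/right wording, and the reading of a sanction-backed accountability as the "hard" type are assumptions made for illustration.

```python
# Constructed from the slides: the function columns of the PO4 RACI chart, in order,
# and the row for the action "Identify System Owners" (one letter per column).
FUNCTIONS = ["CFO", "Business Executive", "CIO", "Business Process Owner",
             "Head Operation", "Chief Architect", "Head Development",
             "Head IT Administration", "PMO", "Compliance, Audit, Risk and Security"]
RACI_ROW = "C C A C R I I I I I"
ACTION = "Identify System Owners"


def parse_raci_row(row: str, functions: list) -> dict:
    """Return {function: letter}, rejecting rows that do not line up with the columns."""
    letters = row.split()
    if len(letters) != len(functions):
        raise ValueError("expected one RACI letter per function column")
    unknown = sorted(set(letters) - set("RACI"))
    if unknown:
        raise ValueError(f"unknown RACI letters: {unknown}")
    return dict(zip(functions, letters))


def derive_model(action: str, raci: dict) -> tuple:
    """Apply Enhancements 1-3: R and A become responsibilities with a functional and a
    managerial obligation and sanction-backed accountability; C becomes a responsibility
    whose components are still to be clarified; I becomes an information right that has
    to be linked to the task consuming the information (left open here)."""
    if sum(letter == "A" for letter in raci.values()) != 1:
        raise ValueError("a RACI row must name exactly one Accountable function")
    responsibilities, info_rights = [], []
    for func, letter in raci.items():
        if letter == "R":       # Enhancement 1: the doer is also accountable for the task
            responsibilities.append({"employee": func, "obligation": "functional",
                "answerability": f"report completion of '{action}'",
                "sanction": f"sanction if '{action}' is not done", "to_clarify": []})
        elif letter == "A":     # Enhancement 1: directing, supervising and monitoring the task
            responsibilities.append({"employee": func, "obligation": "managerial",
                "answerability": f"report supervision of '{action}'",
                "sanction": f"sanction if '{action}' is not supervised",
                "right": f"authority to approve or accept '{action}'", "to_clarify": []})
        elif letter == "C":     # Enhancement 2: a responsibility whose components are undefined
            responsibilities.append({"employee": func, "obligation": "functional",
                "answerability": f"answer for advice given on '{action}'", "sanction": None,
                "to_clarify": ["obligation", "accountability", "right"]})
        else:                   # Enhancement 3: a right, not a task; 'used_by' remains to be filled
            info_rights.append({"employee": func,
                "right": f"access to the output of '{action}'", "used_by": None})
    return responsibilities, info_rights


def is_hard(resp: dict) -> bool:
    """Assumption: a sanction-backed accountability is the 'hard' type of Page 9."""
    return resp["sanction"] is not None


RESPONSIBILITIES, INFO_RIGHTS = derive_model(ACTION, parse_raci_row(RACI_ROW, FUNCTIONS))
```

Every Informed function ends up with `used_by` empty, which is exactly the missing link Enhancement 3 asks to create.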

Page 24

Conclusion

• The willingness to improve the governance of IT advocates the definition of an innovative responsibility model, including a meaningful responsibility concept.
• Afterwards, we compared the responsibility model with the COBIT RACI chart and detected possible improvements.
• The "Identify system owners" action has been depicted to illustrate the added value of the model.

Page 25

Thank you !
